Commit 75718584 authored Jan 13, 2020 by Vladis Dronov Committed by David S. Miller Jan 14, 2020

ptp: free ptp device pin descriptors properly

There is a bug in ptp_clock_unregister(), where ptp_cleanup_pin_groups()
first frees ptp->pin_{,dev_}attr, but then posix_clock_unregister() needs
them to destroy a related sysfs device.

These functions can not be just swapped, as posix_clock_unregister() frees
ptp which is needed in the ptp_cleanup_pin_groups(). Fix this by calling
ptp_cleanup_pin_groups() in ptp_clock_release(), right before ptp is freed.

This makes this patch fix an UAF bug in a patch which fixes an UAF bug.

Reported-by: Antti Laakso <antti.laakso@intel.com>
Fixes: a33121e5 ("ptp: fix the race between the release of ptp_clock and cdev")
Link: https://lore.kernel.org/netdev/3d2bd09735dbdaf003585ca376b7c1e5b69a19bd.camel@intel.com/

Signed-off-by: Vladis Dronov <vdronov@redhat.com>
Acked-by: Richard Cochran <richardcochran@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

parent a112adaf

drivers/ptp/ptp_clock.c

+2 −2

Original line number	Diff line number	Diff line
		@@ -170,6 +170,7 @@ static void ptp_clock_release(struct device *dev)
		{
		struct ptp_clock *ptp = container_of(dev, struct ptp_clock, dev);

		ptp_cleanup_pin_groups(ptp);
		mutex_destroy(&ptp->tsevq_mux);
		mutex_destroy(&ptp->pincfg_mux);
		ida_simple_remove(&ptp_clocks_map, ptp->index);
		@@ -302,9 +303,8 @@ int ptp_clock_unregister(struct ptp_clock *ptp)
		if (ptp->pps_source)
		pps_unregister_source(ptp->pps_source);

		ptp_cleanup_pin_groups(ptp);

		posix_clock_unregister(&ptp->clock);

		return 0;
		}
		EXPORT_SYMBOL(ptp_clock_unregister);